[OPENAM-7720] A refresh_token created with 12.0.2 cannot be used with 12.0.3 Created: 04/Dec/15  Updated: 15/Dec/15  Resolved: 15/Dec/15

Status: Resolved
Project: OpenAM
Component/s: oauth2, upgrade
Affects Version/s: 12.0.3
Fix Version/s: 12.0.3, 13.0.0

Type: Bug Priority: Major
Reporter: Sebastien Bertholet [X] (Inactive) Assignee: Rich Riley [X] (Inactive)
Resolution: Fixed Votes: 0
Labels: 13.0.0-Must-Fix, AME, TESLA
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
is related to OPENAM-5920 Realm associated with OAuth2 tokens i... Resolved
Target Version/s:
Rank: 1|hzqocn:

 Description   

Considering 2 OpenAM instances:

  • AM1 12.0.2 (tomme.internal.forgerock.com:8081)
  • AM2 12.0.3 (brie.internal.forgerock.com:8081)
    configured for OAuth2 on realm "myrealm")with the same external CTS DJ2.6.3

OAuth2 service is configured with:

  • issue-refresh-token set to true
  • issue-refresh-token-on-refreshing-token set to false
  • refresh-token-lifetime set to 6 months

If we generate a new access (and refresh) token on 12.0.2 with realm 'myrealm', i.e:

curl --request POST --user clientOIDC:password --data grant_type='password&username=user.0&password=password&scope=openid' 'http://tomme.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'

The corresponding ldap entry in the DJ CTS is:

dn: coreTokenId=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":[],"acr":[],"clientID":["clientOIDC"],"expireTim
 e":["1464779690710"],"grant_type":["password"],"scope":["openid"],"tokenName":[
 "refresh_token"],"authModules":[],"realm":["myrealm"],"id":["1e68ab4a-f3ce-4d3b
 -b036-ad88cce11e88"],"userName":["user.0"],"tokenType":["Bearer"]}
coreTokenString08: myrealm
coreTokenString07: Bearer
coreTokenType: OAUTH
coreTokenString09: clientOIDC
coreTokenString10: refresh_token
coreTokenId: 1e68ab4a-f3ce-4d3b-b036-ad88cce11e88
coreTokenExpirationDate: 20160601131450.710+0200
coreTokenString12: password
coreTokenString01: openid
coreTokenString04: -empty-
coreTokenString03: user.0

The refresh_token can be used with the same AM12.0.2 to isseu a new access_token:

curl --request POST --user clientOIDC:password --data grant_type='refresh_token&refresh_token=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88' 'http://tomme.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
{"access_token":"ce0e6f33-7f5e-4407-92c7-896bf5a87e82","scope":"openid","id_token":"eyAidHlwIjogIkpXVCIsICJraWQiOiAiNjUxYjZlMzMtNDIxOC00OGYyLWFhNDQtMjZmNzA3NDRiMTUyIiwgImN0eSI6ICJKV1QiLCAiYWxnIjogIlJTMjU2IiB9.eyAiYXRfaGFzaCI6ICIyc2J3RXJVY3QxQ2FNU1JsblhIdFRBIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHA6Ly90b21tZS5pbnRlcm5hbC5mb3JnZXJvY2suY29tOjgwODEvb3BlbmFtL29hdXRoMm15cmVhbG0iLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF1ZCI6IFsgImNsaWVudE9JREMiIF0sICJvcHMiOiAiMWJiNTIxZGYtZmEyYy00ODExLWE1NzctNDkyZGJkZjMwMGYwIiwgImF6cCI6ICJjbGllbnRPSURDIiwgImF1dGhfdGltZSI6IDE0NDkyMzEyOTMsICJyZWFsbSI6ICJteXJlYWxtIiwgImV4cCI6IDE0NDkyMzE4OTMsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ0OTIzMTI5MyB9.ZknT-44-aWERuMxU1CCNshUPuLBQXGsln8FEPh1P9pvPVWgI2UhJOypkEpkAJC9ymiv1ySL9U36NxZdCBMGeQhg2MrI5qF1GZNtLm6wNhmWKXJtEpJKWE86kibdVfRW_snozYdNtuWM2bXXl4pBmiQD-zbktsWclmGdNYNZJ-ck","token_type":"Bearer","expires_in":3599}

but it it's not properly recognized by the AM12.0.3 instance, no matter if we specify realm 'myrealm' or '/myrealm'

# curl --request POST --user clientOIDC:password --data grant_type='refresh_token&refresh_token=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88' 'http://brie.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
{"error_description":"grant is invalid","error":"invalid_grant"}

curl --request POST --user clientOIDC:password --data grant_type='refresh_token&refresh_token=1e68ab4a-f3ce-4d3b-b036-ad88cce11e88' 'http://brie.internal.forgerock.com:8081/openam/oauth2/access_token?realm=/myrealm'
{"error_description":"grant is invalid","error":"invalid_grant"}

Indeed, it looks like 12.0.3 is always appending '/' to the realm, for instance when issuing a new access/refresh token: 

curl --request POST --user clientOIDC:password --data grant_type='password&username=user.0&password=password&scope=openid' 'http://brie.internal.forgerock.com:8081/openam/oauth2/access_token?realm=myrealm'
dn: coreTokenId=00a9e049-1ac9-45e4-a1ca-0f7778486f4f,dc=com
objectClass: top
objectClass: frCoreToken
coreTokenObject: {"redirectURI":[],"acr":[],"clientID":["clientOIDC"],"expireTim
 e":["1464783070976"],"grant_type":["password"],"scope":["openid"],"tokenName":[
 "refresh_token"],"authModules":[],"realm":["/myrealm"],"id":["00a9e049-1ac9-45e
 4-a1ca-0f7778486f4f"],"userName":["user.0"],"tokenType":["Bearer"]}
coreTokenString01: openid
coreTokenString12: password
coreTokenString10: refresh_token
coreTokenString04: -empty-
coreTokenString03: user.0
coreTokenExpirationDate: 20160601141110.976+0200
coreTokenString08: /myrealm
coreTokenString09: clientOIDC
coreTokenId: 00a9e049-1ac9-45e4-a1ca-0f7778486f4f
coreTokenType: OAUTH
coreTokenString07: Bearer

Note: 'myrealm' in the url has been converted to '/myrealm' in the ldap entry.

That's probably why it's not able to validate any refresh_token created from 12.0.2 with real 'myrealm'



 Comments   
Comment by Peter Major [X] (Inactive) [ 04/Dec/15 ]

Most likely this is related to OPENAM-5920

Comment by Peter Major [X] (Inactive) [ 04/Dec/15 ]

Potentially 13 suffers from the same problem

Comment by Andy Hall [ 07/Dec/15 ]

Some major customers want refresh tokens of 2 years. This would span at least one upgrade, so we should fix this.

Generated at Sat Feb 27 04:25:57 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.